Technical Lab: Choose between Azure private peering only, Microsoft peering only, or both

Questions

Question 1 - Multiple Choice

A financial services company has critical workloads on virtual machines within a VNet in Azure. The network team needs to connect the on-premises datacenter to Azure via ExpressRoute, ensuring that traffic destined for VMs never passes through the public internet.

Which type of peering should be configured to exclusively meet this requirement?

A) Microsoft peering, as it provides private connectivity with Azure PaaS services
B) Azure private peering, as it extends the on-premises network address space to Azure VNets
C) Both peerings are necessary, as private peering alone does not support VM traffic
D) Microsoft peering with default route advertisement, as this ensures VM traffic doesn't use the internet


Question 2 - Technical Scenario

An organization configured an ExpressRoute circuit with Azure private peering to access their VMs in Azure. After a few weeks, the security team requests that access to Microsoft 365 and Azure Storage (public endpoint) also go through the ExpressRoute circuit, without using the internet.

The network engineer proposes simply adding static routes in the VNet pointing to the ExpressRoute gateway. Does this approach solve the problem?

A) Yes, because static routes on the ExpressRoute gateway redirect any traffic, including public Microsoft services traffic
B) No, because private peering doesn't advertise the IP address prefixes of public Microsoft services; Microsoft peering must be enabled
C) Yes, as long as BGP is configured to accept routes with next-hop pointing to public endpoints
D) No, because accessing Microsoft 365 via ExpressRoute requires a separate dedicated circuit, regardless of peering type


Question 3 - True or False

An ExpressRoute circuit with only Microsoft peering configured is sufficient to ensure private connectivity between the on-premises environment and virtual machines hosted in an Azure VNet, without needing Azure private peering.


Question 4 - Technical Scenario

A healthcare company uses an ExpressRoute circuit and needs to simultaneously meet two requirements:

  1. Private communication between the on-premises datacenter and applications on VMs within an Azure VNet
  2. Access to Azure SQL Database via public endpoint and Exchange Online through the circuit, without going through the internet

The responsible engineer evaluates the options below. Which configuration correctly meets both requirements?

Option 1: Private peering only
Option 2: Microsoft peering only
Option 3: Private peering + Microsoft peering
Option 4: Microsoft peering + VNet Gateway with default route

A) Option 1, because private peering can be extended to cover PaaS services using Private Endpoints
B) Option 2, because Microsoft peering encompasses both public services and VNet access
C) Option 3, because each peering covers a distinct routing domain and neither substitutes the other
D) Option 4, because the default route advertised via Microsoft peering can force VM traffic through the circuit


Question 5 - Multiple Choice

When comparing Azure private peering and Microsoft peering in an ExpressRoute circuit, which of the following statements correctly describes a fundamental difference between the two?

A) Private peering uses routable public IP addresses to establish the BGP session, while Microsoft peering uses private IP addresses from the VNet
B) Microsoft peering requires the customer to own or lease a block of validated public IP addresses to configure the BGP session, while private peering uses private IP addresses
C) Only Microsoft peering supports the BGP protocol; private peering uses static routing by default
D) Private peering and Microsoft peering share the same BGP routing table, differing only in the advertised prefixes


Answer Key and Explanations

Answer Key - Question 1

Answer: B

Azure private peering is the routing domain designed specifically to connect the on-premises environment to Azure VNets, extending the private address space to virtual networks. Traffic destined for VMs uses private IP addresses and never transits through the public internet when routed through this peering.

The main misconception represented by the distractors is confusing routing domains: Microsoft peering doesn't provide access to resources within VNets; it's directed at services with public endpoints. Choosing Microsoft peering to access VMs would result in connectivity failure, as VNet prefixes are not advertised by this domain.


Answer Key - Question 2

Answer: B

Azure private peering operates exclusively with private IP address prefixes from VNets. Services like Microsoft 365 and Azure Storage (public endpoint) have public IP addresses and their prefixes are advertised only by Microsoft peering. Adding static routes in the VNet doesn't solve the problem because the circuit itself, in the private peering domain, doesn't advertise or accept these public prefixes.

The conceptual error in alternatives A and C is assuming that the data plane can be manipulated by local routing configurations to circumvent the structural separation between peering domains. Alternative D represents a misconception about ExpressRoute architecture: both peerings can coexist on the same circuit.


Answer Key - Question 3

Answer: False

Microsoft peering provides connectivity only with Microsoft services that have public endpoints, such as Microsoft 365, Azure Storage, and other PaaS services via public IPs. It doesn't advertise or route traffic destined for private IP addresses of VNets.

To access VMs in a VNet, Azure private peering is mandatory. This is a deliberate architectural separation: the two peerings operate on completely distinct BGP routing tables. Confusing the scopes of the two domains is one of the most common errors when designing an ExpressRoute circuit.


Answer Key - Question 4

Answer: C

The two requirements belong to distinct and mutually exclusive routing domains in ExpressRoute. Azure private peering is the only path for traffic between on-premises and VMs in VNets. Microsoft peering is the only path for services like Azure SQL Database via public endpoint and Exchange Online.

Alternative A represents a subtle misconception: Private Endpoints do allow accessing PaaS services with private IPs within the VNet, but this assumes the VNet is already accessible via private peering, and traffic still leaves on-premises through this domain. It doesn't eliminate the need for Microsoft peering for services without Private Endpoint, like Exchange Online. Alternative B is incorrect because Microsoft peering has no visibility into VNets.


Answer Key - Question 5

Answer: B

A critical operational difference between the two peerings lies in the addressing requirements for the BGP session. Microsoft peering requires the customer to use registered public IP addresses (owned or provided by the connectivity provider) to establish the BGP session and advertise prefixes. This is necessary because Microsoft peering operates in the public internet routing space.

Azure private peering, on the other hand, uses private IP addresses for the BGP session, reflecting its scope of operation within the private address space of VNets.

Alternative A incorrectly reverses the relationship. Alternative C is false: both peerings use BGP. Alternative D is incorrect because each peering maintains its own isolated BGP routing table, which is precisely the mechanism that ensures domain separation.